SQL到PDO，用于将表内容传输到另一个表

Question

I am trying to change a email confirmation function written in sql to PDO. This is the tutorial for your further reference: http://www.phpeasystep.com/phptu/24.html .

This particular section will move the user's information from the temporary table to the permanent table after they click on the verification link sent to their email.

The problem I am having is under this header within that tutorial: STEP4: confirmation.php

My code is similar to that, but I added a few prepared statements as I am trying to prevent SQL injection.

To be clear: I am looking for direction on what else I need to do to switch this from sql to PDO and prevent any sql injection. Examples when providing an answer are crucial as I am a visual learner. Thank you.

Here is my code:

<?php

include('config.php');

//Test DB connection
try {
    $conn = new PDO("mysql:host=$Host;db=$svrDb", Username, $Password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} 
catch(PDOException $e) {
    echo 'ERROR: ', $e->getMessage(), "\n";
}

// Passkey that got from link
$passkey=$_GET['passkey'];

$sql1= $conn->prepare("SELECT * FROM temp_members_db WHERE confirm_code ='$passkey'");
$sql_conf1->execute() or die ('Error updating database: '.mysql_error());
$result1=$sql1->fetchall();

// If successfully queried
if($result1){

// Count how many row has this passkey
$count=mysql_num_rows($result1);

// if found this passkey in our database, retrieve data from table "temp_members_db"
if($count==1){

$name=$rows['name'];
$email=$rows['email'];
$password=$rows['password'];
$country=$rows['country'];

// Insert data that retrieves from "temp_members_db" into table "registered_members"
$sql2="INSERT INTO registered_members(name, email, password, country)VALUES('$name', '$email', '$password', '$country')";
$result2=mysql_query($sql2);
}

// if not found passkey, display message "Wrong Confirmation code"
else {
echo "Wrong Confirmation code";
}

// if successfully moved data from table"temp_members_db" to table "registered_members" displays message "Your account has been activated" and don't forget to delete confirmation code from table "temp_members_db"
if($result2){

echo "Your account has been activated";

// Delete information of this user from table "temp_members_db" that has this passkey
$sql3="DELETE FROM temp_members_db WHERE confirm_code = '$passkey'";
$result3=mysql_query($sql3);

}

}
?>

Answer 1

Ok, so you're on the right track but not quite....

The whole reason you use Prepared Statements is so that the database knows what to interpret as SQL, and what not to interpret as SQL. Right now, you have the following:

$sql1= $conn->prepare("SELECT * FROM temp_members_db WHERE confirm_code ='$passkey'");
$sql_conf1->execute() or die ('Error updating database: '.mysql_error());
$result1=$sql1->fetchall();

To take full advantage of PDO and Prepared Statements you should change it to something like this:

$sql1= $conn->prepare("SELECT * FROM temp_members_db WHERE confirm_code = ?");
try{
     $sql1->execute(array($passkey));
}catch(PDOException $e){
     print "Error!: " . $e->getMessage() . "<br/>";
     die();
}
$result1=$sql1->fetchall();

There are a couple reasons for this. In your code, you send the variable $passkey along with your prepare statement, so in essence the prepare operation is useless because $passkey has not been sanitized. Notice in my code I replaced it with a ? . This tells the database:

"Hey, I'm going to be executing a SELECT statement and I'm going to replace the ? with a value from one of my variables, so don't interpret that as SQL!"

Here is a great resource for PDO:

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers